NCM-CLI
The command-line tool for NodeSource Certified Modules 2.0 — designed to make code quality, security, and compliance a breeze. Generate a custom project report, fetch compliance and security information, manage organizational whitelists, and inspect specific packages in greater detail — all from the command-line.
Additional NodeSource Certified Modules v2 information is available on the NodeSource documentation site.
Installation
$ npm install -g ncm-cli
Usage
$ ncm <command> [options]
$ ncm help <command>
Authentication
ncm-cli supports three forms of authentication (required).
1. NodeSource Account:
Sign-in interactively using your NodeSource account email and password.
$ ncm signin
2. Single Sign-on
- Using a Google account:
ncm signin -G, --google - Using a GitHub account:
ncm signin -g, --github
3. Environment Variable (CI/CD)
$ NCM_TOKEN=<token> ncm <command> [options]
Learn more about obtaining NodeSource service tokens and configuring permissions here.
ncm report
Generates a project-wide report of directory risk and quality of installed or specified packages. The top five riskiest modules detected will be displayed alongside a concise project report.
The directory to generate a report from may be specified via ncm report <dir>.
Defaults to using the current working directory.
$ ncm report
╔════════════╗
║ foo Report ║
╚════════════╝
23 packages checked
! 2 critical risk
4 high risk
4 medium risk
10 low risk
! 6 security vulnerabilities found across 5 modules
|➔ Run `ncm report --filter=security` for a list
! 2 noncompliant modules found
|➔ Run `ncm report --filter=compliance` for a list
! 1 used modules whitelisted
|➔ Run `ncm whitelist --list` for a list
─────────────────────────────────────────────────────────────────────────────────────────────────
Top 5: Highest Risk Modules
-------------------------------------------------------------------------------------------------
Module Name Risk License Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ mime @ 1.3.4 │ |||| Crit │ ✓ MIT │ X 1L │
│ superagent @ 1.8.5 │ |||| Crit │ ✓ MIT │ X 1M 1L │
│ form-data @ 1.0.0-rc3 │ |||| High │ ✓ MIT │ ✓ 0 │
│ formidable @ 1.0.16 │ |||| High │ X UNKNOWN │ ✓ 0 │
│ mime @ 1.2.11 │ |||| High │ X UNKNOWN │ X 1L │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘
Full Reports
A report with a list of all modules can be generated by passing --long, -l.
$ ncm report --long
╔════════════╗
║ foo Report ║
╚════════════╝
23 packages checked
! 2 critical risk
4 high risk
4 medium risk
10 low risk
! 6 security vulnerabilities found across 5 modules
|➔ Run `ncm report --filter=security` for a list
! 2 noncompliant modules found
|➔ Run `ncm report --filter=compliance` for a list
─────────────────────────────────────────────────────────────────────────────────────────────────
Whitelisted Modules
-------------------------------------------------------------------------------------------------
Module Name Risk License Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ qs @ 6.3.1 │ |||| Crit │ ✓ BSD-3-Clause │ X 1H │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘
─────────────────────────────────────────────────────────────────────────────────────────────────
Non-whitelisted Modules
-------------------------------------------------------------------------------------------------
Module Name Risk License Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ mime @ 1.3.4 │ |||| Crit │ ✓ MIT │ X 1L │
│ superagent @ 1.8.5 │ |||| Crit │ ✓ MIT │ X 1M 1L │
│ form-data @ 1.0.0-rc3 │ |||| High │ ✓ MIT │ ✓ 0 │
│ formidable @ 1.0.16 │ |||| High │ X UNKNOWN │ ✓ 0 │
│ mime @ 1.2.11 │ |||| High │ X UNKNOWN │ X 1L │
│ qs @ 2.3.3 │ |||| High │ ✓ BSD-2-Clause │ X 1H │
... etc ...
│ mime-types @ 2.1.22 │ |||| None │ ✓ MIT │ ✓ 0 │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘
Filters
Reports may be filtered based on any of the following flags:
-
--compliance, -c- only display non-compliant packages. -
--security, -s- only display packages with vulnerabilities.
Options
-
--json, -j- Formats the report in JSON (disabled by default)
ncm details <module{@version}>
Returns a detailed report about a specific module version.
Defaults to using the latest version as published to npm if no version is provided.
$ ncm details client-request@2.3.0
╔═════════════════════════════════════════╗
║ client-request @ 2.3.0 (within ncm-cli) ║
╚═════════════════════════════════════════╝
┌──────┬───────────┐
│ |||| │ None Risk │
└──────┴───────────┘
Security Risk:
✓ 0 security vulnerabilities found
C 0 critical severity
H 0 high severity
M 0 medium severity
L 0 low severity
┌───┬─────────────────────────────┐
│ ✓ │ No Security Vulnerabilities │
└───┴─────────────────────────────┘
License Risk:
┌───┬─────┐
│ ✓ │ MIT │
└───┴─────┘
Module Risk:
┌───┬────────────────┐
│ ✓ │ No Module Risk │
└───┴────────────────┘
Code Quality (does not affect risk score):
┌───┬────────────────────────────────────────────────────────────────────────────────────────────┐
│ ! │ This package version's size on disk is 40.0 kB. │
└───┴────────────────────────────────────────────────────────────────────────────────────────────┘
Required By (leftmost is directly in your package):
┌────────────────────────────────────────────────────────────────────────────────────────────┐
│ (Directly in your package) │
└────────────────────────────────────────────────────────────────────────────────────────────┘
ncm install <module{@version}>
Runs and displays ncm details <module{@version}> with an interactive confirmation prompt.
If confirmed, attempts to run npm install <module{@version}> with any additional options provided.
The config keys installBin and installCmd can adjust this to work with other package installers if necessary.
For more information, see ncm config --help.
ncm whitelist
Display or modify your NodeSource organization’s module whitelist.
ncm whitelist --list
Returns a list containing each module in your NodeSource organization’s whitelist. Public modules are listed alongside their risk score, license compliance, and security summary.
$ ncm whitelist --list
╔══════════════════════════════╗
║ personal Whitelisted Modules ║
╚══════════════════════════════╝
2 modules total
─────────────────────────────────────────────────────────────────────────────────────────────────
Whitelisted Modules
-------------------------------------------------------------------------------------------------
Module Name Risk License Security
┌──────────────────────────────────────────┬────────────┬───────────────────────┬───────────────┐
│ express @ 4.0.0 │ |||| None │ ✓ MIT │ X 1M │
│ qs @ 6.3.1 │ |||| None │ ✓ BSD-3-Clause │ X 1H │
└──────────────────────────────────────────┴────────────┴───────────────────────┴───────────────┘
ncm whitelist --add <module@version>
Add one or more modules to your NodeSource organization’s whitelist.
ncm whitelist --remove <module@version>
Remove one or more modules from your NodeSource organization’s whitelist.
ncm orgs
Change your active NodeSource organization, which impacts the whitelist. Defaults to an interactive prompt.
By passing an <orgname>, the interactive part may be skipped.
Input is case sensitive.
ncm config
Access to various configuration settings.
For more information, use the help command: ncm config --help
License & Copyright
Copyright 2019 NodeSource — Contributions via DCO 1.1
Licensed under the Apache License, Version 2.0 — see the LICENSE file for details.
![dependabot[bot]](https://avatars.githubusercontent.com/u/49699333?size=120)
